From nobody Tue Dec 16 05:52:51 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B8F8528EA69; Wed, 7 May 2025 18:16:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746641781; cv=none; b=d3UmbsH3spG8+KWu/lVQSgJyc4bZ/ZyVqW7qnDcA7ZyWuVgeZqVy5G1ueOLC/sKEq0c6sGTSuNFBpIjHLj2n/vQHTkRen/sSXUqV56oLCU+H4TOBGhgMlkxy24bIaQWNq67rOfhiMA+ovihPYGJMWrrqEsKfCj1OSxxuoR3ovtM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746641781; c=relaxed/simple; bh=xnX44A875J5pRQUvuRYdVrdaj7yDpDUw7/gsLr5gEV0=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=EHtXzMtzmCTMjnfW7DvBw0sX4dH2CvIf8TKah2QRPzr8Qg5XPugONCi+nhKjh3BvK6u1z9Y8YfdpGTkunlH/J6CZShRdQ+WI2Z6BaRk0/JuhRmSitNAH2kfxbL0Hlufk9tuR0kRtlxt7O+spEh7I2djmWw6d2PYYRMXYpqQE9jQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=A4eqnIX0; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="A4eqnIX0" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3ED36C4CEE9; Wed, 7 May 2025 18:16:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1746641781; bh=xnX44A875J5pRQUvuRYdVrdaj7yDpDUw7/gsLr5gEV0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=A4eqnIX0WcGjfLO8f+lyrjegUMgvsmMLqhO4ll1KzzZYKRzMmi7+eEVKV/+8tvPM5 hxrrNbPRWhrJ775N6k+nhWQOPm5h+LlXbfIPGrVGAiii2JAzRq8418udB3prr5lZw+ ULHj5lOFTNukYXAeeYvCpd7m1SM7sVvSpEiC6WN4Es69BLf3kK6rKwIBo5UzyB6KjW JpTUcvbeIfzLJ9MFn8nT7ECpHic6sTc3gfp7uCN1GHgA9GsqMPYbft9nTB5BfoxUuz kdFfHxHXiVN6l1iNoodNM/mXFbf6UXVMzigHyw8dFzw3664h/c9kcLohtjOZet7ZQ1 L3KyWZ1trbCGg== From: Kees Cook To: Arnd Bergmann Cc: Kees Cook , x86@kernel.org, linux-arm-kernel@lists.infradead.org, sparclinux@vger.kernel.org, linux-kbuild@vger.kernel.org, linux-hardening@vger.kernel.org, "Gustavo A. R. Silva" , Christoph Hellwig , Marco Elver , Andrey Konovalov , Andrey Ryabinin , Ard Biesheuvel , Masahiro Yamada , Nathan Chancellor , Nicolas Schier , Nick Desaulniers , Bill Wendling , Justin Stitt , linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-doc@vger.kernel.org, kvmarm@lists.linux.dev, linux-riscv@lists.infradead.org, linux-s390@vger.kernel.org, linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kselftest@vger.kernel.org, llvm@lists.linux.dev Subject: [PATCH 5/8] stackleak: Split STACKLEAK_CFLAGS from GCC_PLUGINS_CFLAGS Date: Wed, 7 May 2025 11:16:11 -0700 Message-Id: <20250507181615.1947159-5-kees@kernel.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250507180852.work.231-kees@kernel.org> References: <20250507180852.work.231-kees@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=8800; i=kees@kernel.org; h=from:subject; bh=xnX44A875J5pRQUvuRYdVrdaj7yDpDUw7/gsLr5gEV0=; b=owGbwMvMwCVmps19z/KJym7G02pJDBnSi3P6lfhV/RXS7W7EXssK1NBnXdB5Ysnr/mVB/17fl nyiPW9uRykLgxgXg6yYIkuQnXuci8fb9nD3uYowc1iZQIYwcHEKwEQyLjMydM67eeZ867qfzziX yUjOl4pne5p24PVarrW6CwO/xaRWMDIyvKpsa9K/d9l+e0Fs3d97Xkl7JGyWBRS8mL1yzr8DbL3 FfAA= X-Developer-Key: i=kees@kernel.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" In preparation for Clang stack depth tracking for stackleak, split the stackleak-specific cflags out of GCC_PLUGINS_CFLAGS into STACKLEAK_CFLAGS. Signed-off-by: Kees Cook --- Cc: Arnd Bergmann Cc: Cc: Cc: Cc: Cc: --- Makefile | 1 + arch/arm/vdso/Makefile | 2 +- arch/arm64/kernel/vdso/Makefile | 3 ++- arch/sparc/vdso/Makefile | 3 ++- arch/x86/entry/vdso/Makefile | 3 ++- scripts/Makefile.gcc-plugins | 16 ++-------------- scripts/Makefile.stackleak | 15 +++++++++++++++ MAINTAINERS | 6 ++++-- 8 files changed, 29 insertions(+), 20 deletions(-) create mode 100644 scripts/Makefile.stackleak diff --git a/Makefile b/Makefile index 5aa9ee52a765..1af8dfbcf0af 100644 --- a/Makefile +++ b/Makefile @@ -1089,6 +1089,7 @@ include-$(CONFIG_KMSAN) +=3D scripts/Makefile.kmsan include-$(CONFIG_UBSAN) +=3D scripts/Makefile.ubsan include-$(CONFIG_KCOV) +=3D scripts/Makefile.kcov include-$(CONFIG_RANDSTRUCT) +=3D scripts/Makefile.randstruct +include-$(CONFIG_STACKLEAK) +=3D scripts/Makefile.stackleak include-$(CONFIG_AUTOFDO_CLANG) +=3D scripts/Makefile.autofdo include-$(CONFIG_PROPELLER_CLANG) +=3D scripts/Makefile.propeller include-$(CONFIG_GCC_PLUGINS) +=3D scripts/Makefile.gcc-plugins diff --git a/arch/arm/vdso/Makefile b/arch/arm/vdso/Makefile index cb044bfd145d..f05a27909a76 100644 --- a/arch/arm/vdso/Makefile +++ b/arch/arm/vdso/Makefile @@ -26,7 +26,7 @@ CPPFLAGS_vdso.lds +=3D -P -C -U$(ARCH) CFLAGS_REMOVE_vdso.o =3D -pg =20 # Force -O2 to avoid libgcc dependencies -CFLAGS_REMOVE_vgettimeofday.o =3D -pg -Os $(RANDSTRUCT_CFLAGS) $(GCC_PLUGI= NS_CFLAGS) +CFLAGS_REMOVE_vgettimeofday.o =3D -pg -Os $(RANDSTRUCT_CFLAGS) $(STACKLEAK= _CFLAGS) $(GCC_PLUGINS_CFLAGS) ifeq ($(c-gettimeofday-y),) CFLAGS_vgettimeofday.o =3D -O2 else diff --git a/arch/arm64/kernel/vdso/Makefile b/arch/arm64/kernel/vdso/Makef= ile index 5e27e46aa496..d4f60027f910 100644 --- a/arch/arm64/kernel/vdso/Makefile +++ b/arch/arm64/kernel/vdso/Makefile @@ -36,7 +36,8 @@ ccflags-y +=3D -DDISABLE_BRANCH_PROFILING -DBUILD_VDSO # -Wmissing-prototypes and -Wmissing-declarations are removed from # the CFLAGS to make possible to build the kernel with CONFIG_WERROR enabl= ed. CC_FLAGS_REMOVE_VDSO :=3D $(CC_FLAGS_FTRACE) -Os $(CC_FLAGS_SCS) \ - $(RANDSTRUCT_CFLAGS) $(GCC_PLUGINS_CFLAGS) \ + $(RANDSTRUCT_CFLAGS) $(STACKLEAK_CFLAGS) \ + $(GCC_PLUGINS_CFLAGS) \ $(CC_FLAGS_LTO) $(CC_FLAGS_CFI) \ -Wmissing-prototypes -Wmissing-declarations =20 diff --git a/arch/sparc/vdso/Makefile b/arch/sparc/vdso/Makefile index fdc4a8f5a49c..d0cfaa2f508a 100644 --- a/arch/sparc/vdso/Makefile +++ b/arch/sparc/vdso/Makefile @@ -48,7 +48,7 @@ CFL :=3D $(PROFILING) -mcmodel=3Dmedlow -fPIC -O2 -fasync= hronous-unwind-tables -m64 =20 SPARC_REG_CFLAGS =3D -ffixed-g4 -ffixed-g5 $(call cc-option,-fcall-used-g5= ) $(call cc-option,-fcall-used-g7) =20 -$(vobjs): KBUILD_CFLAGS :=3D $(filter-out $(RANDSTRUCT_CFLAGS) $(GCC_PLUGI= NS_CFLAGS) $(SPARC_REG_CFLAGS),$(KBUILD_CFLAGS)) $(CFL) +$(vobjs): KBUILD_CFLAGS :=3D $(filter-out $(RANDSTRUCT_CFLAGS) $(STACKLEAK= _CFLAGS) $(GCC_PLUGINS_CFLAGS) $(SPARC_REG_CFLAGS),$(KBUILD_CFLAGS)) $(CFL) =20 # # vDSO code runs in userspace and -pg doesn't help with profiling anyway. @@ -79,6 +79,7 @@ KBUILD_CFLAGS_32 :=3D $(filter-out -m64,$(KBUILD_CFLAGS)) KBUILD_CFLAGS_32 :=3D $(filter-out -mcmodel=3Dmedlow,$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 :=3D $(filter-out -fno-pic,$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 :=3D $(filter-out $(RANDSTRUCT_CFLAGS),$(KBUILD_CFLAGS_32= )) +KBUILD_CFLAGS_32 :=3D $(filter-out $(STACKLEAK_CFLAGS),$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 :=3D $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS_3= 2)) KBUILD_CFLAGS_32 :=3D $(filter-out $(SPARC_REG_CFLAGS),$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 +=3D -m32 -msoft-float -fpic diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile index 54d3e9774d62..9e912b6a889c 100644 --- a/arch/x86/entry/vdso/Makefile +++ b/arch/x86/entry/vdso/Makefile @@ -62,7 +62,7 @@ ifneq ($(RETPOLINE_VDSO_CFLAGS),) endif endif =20 -$(vobjs): KBUILD_CFLAGS :=3D $(filter-out $(PADDING_CFLAGS) $(CC_FLAGS_LTO= ) $(CC_FLAGS_CFI) $(RANDSTRUCT_CFLAGS) $(GCC_PLUGINS_CFLAGS) $(RETPOLINE_CF= LAGS),$(KBUILD_CFLAGS)) $(CFL) +$(vobjs): KBUILD_CFLAGS :=3D $(filter-out $(PADDING_CFLAGS) $(CC_FLAGS_LTO= ) $(CC_FLAGS_CFI) $(RANDSTRUCT_CFLAGS) $(STACKLEAK_CFLAGS) $(GCC_PLUGINS_CF= LAGS) $(RETPOLINE_CFLAGS),$(KBUILD_CFLAGS)) $(CFL) $(vobjs): KBUILD_AFLAGS +=3D -DBUILD_VDSO =20 # @@ -123,6 +123,7 @@ KBUILD_CFLAGS_32 :=3D $(filter-out -mcmodel=3Dkernel,$(= KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 :=3D $(filter-out -fno-pic,$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 :=3D $(filter-out -mfentry,$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 :=3D $(filter-out $(RANDSTRUCT_CFLAGS),$(KBUILD_CFLAGS_32= )) +KBUILD_CFLAGS_32 :=3D $(filter-out $(STACKLEAK_CFLAGS),$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 :=3D $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS_3= 2)) KBUILD_CFLAGS_32 :=3D $(filter-out $(RETPOLINE_CFLAGS),$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 :=3D $(filter-out $(CC_FLAGS_LTO),$(KBUILD_CFLAGS_32)) diff --git a/scripts/Makefile.gcc-plugins b/scripts/Makefile.gcc-plugins index 33ddf5bfda34..e27ffe8e7c75 100644 --- a/scripts/Makefile.gcc-plugins +++ b/scripts/Makefile.gcc-plugins @@ -22,20 +22,6 @@ export DISABLE_STRUCTLEAK_PLUGIN gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STRUCTLEAK) \ +=3D -DSTRUCTLEAK_PLUGIN =20 -gcc-plugin-$(CONFIG_GCC_PLUGIN_STACKLEAK) +=3D stackleak_plugin.so -gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK) \ - +=3D -DSTACKLEAK_PLUGIN -gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK) \ - +=3D -fplugin-arg-stackleak_plugin-track-min-size=3D$(CONFIG_STACKLEAK_T= RACK_MIN_SIZE) -gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK) \ - +=3D -fplugin-arg-stackleak_plugin-arch=3D$(SRCARCH) -gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK_VERBOSE) \ - +=3D -fplugin-arg-stackleak_plugin-verbose -ifdef CONFIG_GCC_PLUGIN_STACKLEAK - DISABLE_STACKLEAK +=3D -fplugin-arg-stackleak_plugin-disable -endif -export DISABLE_STACKLEAK - # All the plugin CFLAGS are collected here in case a build target needs to # filter them out of the KBUILD_CFLAGS. GCC_PLUGINS_CFLAGS :=3D $(strip $(addprefix -fplugin=3D$(objtree)/scripts/= gcc-plugins/, $(gcc-plugin-y)) $(gcc-plugin-cflags-y)) -DGCC_PLUGINS @@ -50,6 +36,8 @@ gcc-plugin-external-$(CONFIG_GCC_PLUGIN_SANCOV) \ +=3D sancov_plugin.so gcc-plugin-external-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) \ +=3D randomize_layout_plugin.so +gcc-plugin-external-$(CONFIG_GCC_PLUGIN_STACKLEAK) \ + +=3D stackleak_plugin.so =20 # All enabled GCC plugins are collected here for building in # scripts/gcc-scripts/Makefile. diff --git a/scripts/Makefile.stackleak b/scripts/Makefile.stackleak new file mode 100644 index 000000000000..1db0835b29d4 --- /dev/null +++ b/scripts/Makefile.stackleak @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: GPL-2.0 + +ifdef CONFIG_GCC_PLUGIN_STACKLEAK +stackleak-cflags-y +=3D -fplugin=3D$(objtree)/scripts/gcc-plugins/stacklea= k_plugin.so +stackleak-cflags-y +=3D -fplugin-arg-stackleak_plugin-track-min-size=3D$(C= ONFIG_STACKLEAK_TRACK_MIN_SIZE) +stackleak-cflags-y +=3D -fplugin-arg-stackleak_plugin-arch=3D$(SRCARCH) +stackleak-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK_VERBOSE) +=3D -fplugin-arg-= stackleak_plugin-verbose +DISABLE_STACKLEAK :=3D -fplugin-arg-stackleak_plugin-disable +endif + +STACKLEAK_CFLAGS :=3D $(stackleak-cflags-y) + +export STACKLEAK_CFLAGS DISABLE_STACKLEAK + +KBUILD_CFLAGS +=3D $(STACKLEAK_CFLAGS) diff --git a/MAINTAINERS b/MAINTAINERS index dc535c67a745..9a2be2dd96c9 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -9827,8 +9827,6 @@ L: linux-hardening@vger.kernel.org S: Maintained T: git git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-ne= xt/hardening F: Documentation/kbuild/gcc-plugins.rst -F: include/linux/stackleak.h -F: kernel/stackleak.c F: scripts/Makefile.gcc-plugins F: scripts/gcc-plugins/ =20 @@ -12890,11 +12888,15 @@ F: Documentation/ABI/testing/sysfs-kernel-warn_co= unt F: arch/*/configs/hardening.config F: include/linux/overflow.h F: include/linux/randomize_kstack.h +F: include/linux/stackleak.h F: include/linux/ucopysize.h F: kernel/configs/hardening.config +F: kernel/stackleak.c F: lib/tests/randstruct_kunit.c F: lib/tests/usercopy_kunit.c F: mm/usercopy.c +F: scripts/Makefile.randstruct +F: scripts/Makefile.stackleak F: security/Kconfig.hardening K: \b(add|choose)_random_kstack_offset\b K: \b__check_(object_size|heap_object)\b --=20 2.34.1